SB2016100201 - Fedora EPEL 6 update for php-symfony




Published: October 2, 2016 Updated: April 24, 2025

Security Bulletin ID: SB2016100201
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Cryptographic issues (CVE-ID: CVE-2016-1902)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.
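The defect above is a silent fallback to a non-cryptographic generator when the OpenSSL source fails. The following is an added example, not Symfony's code, of a wrapper that fails closed instead: it prefers PHP 7's random_bytes(), otherwise accepts OpenSSL output only when it is reported as cryptographically strong, and throws rather than degrading. The class name and the usage token length are constructed for the example.

```php
<?php
// Added example (not Symfony's SecureRandom): a fail-closed CSPRNG wrapper.
// CVE-2016-1902 arose because SecureRandom::nextBytes() on PHP 5.x without
// paragonie/random_compat fell back to a weak generator when
// openssl_random_pseudo_bytes() failed. A hardened wrapper refuses to return
// any bytes at all in that situation.
final class FailClosedRandom
{
    // No scalar type hints so the code also runs on PHP 5.x.
    public static function bytes($length)
    {
        $length = (int) $length;
        if ($length < 1) {
            throw new InvalidArgumentException('length must be a positive integer');
        }

        // PHP 7+: built-in CSPRNG that throws on failure instead of returning
        // weak output, so it can be used directly.
        if (function_exists('random_bytes')) {
            return random_bytes($length);
        }

        // PHP 5.x: OpenSSL is acceptable only if it reports the output as
        // cryptographically strong ($strong is set by reference) and returned
        // exactly the requested number of bytes.
        if (function_exists('openssl_random_pseudo_bytes')) {
            $strong = false;
            $bytes = openssl_random_pseudo_bytes($length, $strong);
            if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
                return $bytes;
            }
        }

        // No mt_rand()/uniqid()/microtime() fallback: fail closed.
        throw new RuntimeException('No cryptographically secure random source available');
    }
}

// Usage (constructed): a 32-byte token, hex-encoded for transport.
echo bin2hex(FailClosedRandom::bytes(32)), PHP_EOL;
```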


2) Resource management error (CVE-ID: CVE-2016-4423)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.


Remediation

Install update from vendor's website.